40% of surfers don’t bother with browser security updates

A new collaborative study between Google, IBM, and the Swiss Federal Institute …

A recent collaborative study between Google, the Swiss Federal Institute of Technology, and IBM offers new insight into how many people surfing the web are doing so safely. According to the report, a clear majority of users (some 59 percent) are using the latest version of their preferred Internet browser—but that still leaves 40.1 percent who aren't. That's a troublingly high number for anyone working in IT security, given that virtually all (89.4 percent) of the vulnerabilities reported in 2007 were remote exploits. Not all of these exploits specifically targeted the web browser, but it's become the target of choice for an increasingly large percentage of all attacks. Proper browser security is therefore of paramount concern.

The group performed its analysis using Google's database of user information (non-personally-identifiable information, mind you). The information in question was gathered between January 2007 and June 2008, and represents some 18 months of browser data. Both minor and major patch versions were considered, as was the date when new patches were actually released. Data was compiled separately for each of the browsers that were tracked, and multiple visits from any given machine were counted only once per day.

This particular analysis is focused on how often end-users apply browser patches, not on market share, but the authors do mention the figures they saw in passing, indicated in the chart below. According to the study, "The absolute worldwide user counts were derived from the global Internet user count of 1,408 billion users." The browser labels in the table refer specifically to IE7, Firefox 2, Safari 3, and Opera 9—IE6, Firefox 3, and Opera 8 were not included.

Data source: Swiss Federal Institute of Technology

The percentage breakdowns for the number of surfers using the latest major version of the browser in question were quite interesting. IE7 is the oldest browser—it was released on October 18, 2006—but only 52.5 percent of the people browsing the 'Net with IE were using IE7. The vast majority of that other 47.5 percent are presumably using IE6, despite Microsoft's repeated and emphatic pleas to upgrade.

Firefox and Opera both have extremely high upgrade uptake—92.2 percent of Firefox users are now using version 2 (remember, no Firefox 3 data here), while 90.1 percent of Opera users were using Opera 9. Safari falls between the two groups with 70.2 percent of all Safari users currently running Safari 3.

The percentage of people using the most secure version of their specific browser is also shown below, and represented by a snapshot of Google data from the first week of this past June. Here we see that the availability of minor updates does not necessarily mean users will quickly adopt them. Firefox fares the best, with its one-click upgrade system, but 16.7 percent of users are still behind when it comes to point updates.

Data source: Swiss Federal Institute of Technology

Patching up the holes

The group of researchers includes several of their own suggestions for improving browser security. Firefox and Opera are both credited for including an auto-update feature, but the team notes that "Firefox’s auto-update was found to be way more effective than Opera's manual update download reminder strategy." How effective? Way more effective. Auto-updates are, however, a Very Good Thing, and the group recommends the feature be included in all browsers. On the corporate side of things, the study recommends that businesses adopt URL Filters, or filters designed to prevent company employees from even touching websites carrying payloads of malicious content.

The final recommendation is that the software industry adopt the same type of labeling system currently used by... the food industry. Under such a system, web browsers would be dated with a "Best before" label, and would automatically flag the user when the browser "expired." Such warnings would not prevent the browser from functioning, but might take the form of a "days since expiration" figure and a message stating that the customer had missed a certain number of patches. Auto-updates seem both more effective and more practical, but those warnings might prompt some users to upgrade who might otherwise avoid doing so.
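To make the "Best before" idea concrete, here is an added example (not from the study or the article) of how a browser could compute such a label from its own release history: the installed version is compared against a release timeline, the number of missed patches is counted, and the "expiry" is the first newer release plus a short roll-out grace period. The browser name, version numbers and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed release timeline: hypothetical versions and dates, not real products.
RELEASES = {
    "examplebrowser": [
        ("9.0", date(2007, 1, 10)),
        ("9.1", date(2007, 4, 2)),
        ("9.2", date(2007, 9, 5)),
        ("9.3", date(2008, 2, 20)),
    ]
}

@dataclass
class StalenessReport:
    installed: str
    latest: str
    missed_patches: int      # releases newer than the installed one
    days_since_expiry: int   # 0 while the build is still "fresh"
    expired: bool

def parse_version(v):
    # Numeric tuple so "9.10" sorts after "9.9"; a plain string compare would not.
    return tuple(int(p) for p in v.split("."))

def staleness(browser, installed, today, grace_days=7):
    timeline = sorted(RELEASES[browser], key=lambda r: parse_version(r[0]))
    newer = [r for r in timeline if parse_version(r[0]) > parse_version(installed)]
    latest = timeline[-1][0]
    if not newer:
        return StalenessReport(installed, latest, 0, 0, False)
    # "Best before" = first newer release date plus a grace period for the update to roll out.
    best_before = newer[0][1] + timedelta(days=grace_days)
    overdue = (today - best_before).days
    return StalenessReport(installed, latest, len(newer), max(overdue, 0), overdue > 0)

def banner(report):
    # The warning the study proposes: inform, do not block.
    if not report.expired:
        return "Browser is up to date."
    return (f"Browser expired {report.days_since_expiry} days ago: "
            f"{report.missed_patches} patch(es) missed, latest is {report.latest}.")

if __name__ == "__main__":
    print(banner(staleness("examplebrowser", "9.1", date(2008, 6, 1))))
```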